The Council of the EU failed to make any progress towards the adoption of an agreed negotiating position on the Data Protection Regulation at its meeting on Friday, 6 December 2013. While momentum had begun to build following the vote by the EU Parliament’s LIBE Committee in October, expectations of progress within the Council were dampened by the formal agenda circulated before the Justice and Home Affairs (JHA) Committee met, which tabled a review of the current state of play and detailed discussion of the one-stop-shop issue.
With the new year fast approaching, the Federal Trade Commission (FTC) and the National Telecommunications & Information Administration (NTIA), a bureau within the Department of Commerce, recently announced a number of privacy initiatives for 2014 that will break new ground for both agencies and will impact a wide array of industries.
A recent survey from the UK Government’s Department for Business, Innovation & Skills has highlighted that the majority of FTSE 350 firms are not regularly taking cyber risks into account in their decision making. Despite a growing international trend in cyber crime targeted at businesses, the survey showed that only 14 percent of FTSE 350 companies regularly consider cyber threats, and nearly half of those surveyed do not even include cyber risks on their company’s strategic risk register.
The continued uncertainty around the draft EU Data Protection Regulation presents something of a challenge for data controllers. It is clear that it could require them to make significant changes to how they handle individuals’ data, but the ongoing fundamental political disagreements make it difficult to predict which changes will make it into the final form of the legislation. So it is interesting to see the recommendations on the UK ICO’s blog on where to start in preparing for reforms, highlighting three areas: consent, breach notification, and privacy by design.
On November 27, the European Commission released a strategy memo on rebuilding trust in the mechanisms allowing data to flow from the European Union (“EU”) to the United States. The Commission recognizes that EU-U.S. data flows are essential to the strategic and economic partnerships between the two markets. However, revelations about U.S. surveillance programs have, according to the Commission, caused EU Member States and citizens to believe that the current data transfer mechanisms do not provide adequate protections for personal data. To address those concerns and rebuild trust in transatlantic data flows, the Commission recommends six initiatives, including specific recommendations for reforming the U.S. privacy framework.
Earlier this month, the Payment Card Industry Security Standards Council (PCI SSC) released Version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS), which includes several enhanced security requirements that will affect how businesses protect payment card data in their systems. The updated standard calls upon businesses to take a more active role in security compliance. It also addresses several common vulnerabilities in the cardholder data environment, including weak passwords, fallible authentication methods, unpatched malware protection, and inadequate threat monitoring practices. The end result is a standard that gives businesses a clearer, yet more stringent, set of baseline requirements for protecting cardholder data. Compliance with Version 3.0 is required as of January 1, 2015, although some of the new requirements will not go into effect until July 1, 2015. Until then, they are recommended as best practices.
On 20 November 2013, Hogan Lovells hosted a cybersecurity seminar at its London offices, gathering a panel of experts in the field to discuss a subject that has become a growing concern for businesses worldwide. The seminar sought to address the cyber risks currently facing businesses, what businesses should do if a cyber attack occurs, the legal issues a business should consider when responding to a cyber attack, and the options for protecting a business with cyber risk and data protection insurance.
The EU’s work on data protection reform continues following the vote of the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) on 21 October 2013 to adopt compromise amendments. The 104 compromise amendments represent a consolidation of proposals submitted by various European Parliament committees. Following up on our initial report, Hogan Lovells has prepared a detailed analysis of the compromise amendments approved by the LIBE committee.
A new paper published by the Future of Privacy Forum examines the appropriate privacy paradigm for the world of the Internet of Things. The paper was co-authored by Hogan Lovells Privacy and Information Management practice leader Christopher Wolf who also is the founder and co-chair of the Future of Privacy Forum (with co-author Jules Polonetsky). The paper was released in conjunction with the FTC workshop on the Internet of Things.
The whitepaper posits that current implementations of the Fair Information Practice Principles (FIPPs) are not easily adapted to the world of the Internet of Things, where nearly every device or appliance will be connected to the internet and collecting data about consumers. Attempting to provide meaningful “notice” in a world of billions of connected devices is not feasible when many devices lack meaningful user interfaces or screens, and relying on consumers to read thousands of privacy policies will lead to many simply “giving up” on their privacy. Similarly, the FIPPs’ strict use limitations may thwart technological progress, because many socially valuable uses of data are not discovered until the data has already been collected. The challenge, then, is to allow practices that will support progress while providing appropriate controls over those practices that should be forestalled or constrained by appropriate consent.
Invited to speak at a workshop convened by the National Institute of Standards and Technology (NIST), Hogan Lovells partner and Future of Privacy Forum advisory board member Harriet Pearson yesterday commended NIST for its thoughtful efforts on the Cybersecurity Framework, endorsed the consideration of privacy in cybersecurity efforts, and shared a strawperson privacy methodology for discussion with workshop participants.